Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Appropriate PIX logging level
From: Chuck Swiger <chuck () codefab com>
Date: Thu, 04 May 2006 10:24:31 -0400

ArkanoiD wrote:
Well, does that mean that syslog should be either not reliable (generic datagram), not portable enough (sdsc), buggy (nsyslogd) or suffering
performance problems (ng) ;-)?

You can get reliable logging with a stock BSD-flavor syslogd if you talk to it via a named pipe (ie, /var/run/log or equivalent).

In many cases, you want to compress & summarize repeated output, or perform your initial analysis-identification-filtration steps first and forward on a summary and the interesting stuff on the devices generated the logging before you smother some dedicated central "logger" host in a huge volume of low-value syslog network traffic.

If you've got less than 10MB of data per day (~ 100K events or logfile lines), you probably don't need to worry about that or keeping several years worth of data around.

On the other hand, when a single busy host can generate 100MB to 1GB of loggable data per day just running a medium-busy website, understanding what your volume is, what your ability to process it meaningfully over longer intervals is and is contrained by (disk space, log analysis processing time, others), becomes more important.

firewall-wizards mailing list
firewall-wizards () honor icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]